Vulnerability CVE-2020-28243

Vulnerability Name:

CVE-2020-28243 (CCN-197528)

Assigned:

2020-11-06

Published:

2021-02-25

Updated:

2022-02-22

Summary:

An issue was discovered in SaltStack Salt before 3002.5. The minion's restartcheck is vulnerable to command injection via a crafted process name. This allows for a local privilege escalation by any user able to create a files on the minion in a non-blacklisted directory.

CVSS v3 Severity:

7.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
6.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

7.1 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
6.2 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): High Availibility (A): High

CVSS v2 Severity:

4.4 Medium (CVSS v2 Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

6.2 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:N/I:C/A:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

CWE-77

Vulnerability Consequences:

Gain Privileges

References:

Source: MITRE
Type: CNA
CVE-2020-28243

Source: XF
Type: UNKNOWN
saltstack-cve202028243-priv-esc(197528)

Source: MISC
Type: Exploit, Third Party Advisory
https://github.com/stealthcopter/CVE-2020-28243

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20211110 [SECURITY] [DLA 2815-1] salt security update

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20220103 [SECURITY] [DLA 2480-2] salt regression update

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-5756fbf8a6

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-43eb5584ad

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-904a2dbc0c

Source: CCN
Type: SaltStack Web site
Active SaltStack CVE Release 2021-FEB-25

Source: CONFIRM
Type: Vendor Advisory
https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/

Source: MISC
Type: Exploit, Third Party Advisory
https://sec.stealthcopter.com/cve-2020-28243/

Source: GENTOO
Type: Third Party Advisory
GLSA-202103-01

Source: DEBIAN
Type: Third Party Advisory
DSA-5011

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2020-28243

Vulnerable Configuration:

Configuration 1:

cpe:/a:saltstack:salt:*:*:*:*:*:*:*:* (Version < 2015.8.10)

OR cpe:/a:saltstack:salt:*:*:*:*:*:*:*:* (Version >= 2015.8.11 and < 2015.8.13)

OR cpe:/a:saltstack:salt:*:*:*:*:*:*:*:* (Version >= 2016.3.0 and < 2016.3.4)

OR cpe:/a:saltstack:salt:*:*:*:*:*:*:*:* (Version >= 2016.3.5 and < 2016.3.6)

OR cpe:/a:saltstack:salt:*:*:*:*:*:*:*:* (Version >= 2016.3.7 and < 2016.3.8)

OR cpe:/a:saltstack:salt:*:*:*:*:*:*:*:* (Version >= 2016.3.9 and < 2016.11.3)

OR cpe:/a:saltstack:salt:*:*:*:*:*:*:*:* (Version >= 2016.11.4 and < 2016.11.5)

OR cpe:/a:saltstack:salt:*:*:*:*:*:*:*:* (Version >= 2016.11.7 and < 2016.11.10)

OR cpe:/a:saltstack:salt:*:*:*:*:*:*:*:* (Version >= 2017.5.0 and < 2017.7.8)

OR cpe:/a:saltstack:salt:*:*:*:*:*:*:*:* (Version >= 2018.2.0 and <= 2018.3.5)

OR cpe:/a:saltstack:salt:*:*:*:*:*:*:*:* (Version >= 2019.2.0 and < 2019.2.5)

OR cpe:/a:saltstack:salt:*:*:*:*:*:*:*:* (Version >= 2019.2.6 and < 2019.2.8)

OR cpe:/a:saltstack:salt:*:*:*:*:*:*:*:* (Version >= 3000 and < 3000.6)

OR cpe:/a:saltstack:salt:*:*:*:*:*:*:*:* (Version >= 3001 and < 3001.4)

OR cpe:/a:saltstack:salt:*:*:*:*:*:*:*:* (Version >= 3002 and < 3002.5)

Configuration 2:

cpe:/o:fedoraproject:fedora:32:*:*:*:*:*:*:*

OR cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*

OR cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*

Configuration 3:

cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

OR cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*

OR cpe:/o:debian:debian_linux:11.0:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:saltstack:salt:2016.11.6:*:*:*:*:*:*:*

OR cpe:/a:saltstack:salt:2016.3.4:*:*:*:*:*:*:*

OR cpe:/a:saltstack:salt:2015.8.10:*:*:*:*:*:*:*

OR cpe:/a:saltstack:salt:2015.8.13:*:*:*:*:*:*:*

OR cpe:/a:saltstack:salt:2016.3.6:*:*:*:*:*:*:*

OR cpe:/a:saltstack:salt:2016.3.8:*:*:*:*:*:*:*

OR cpe:/a:saltstack:salt:2016.11.3:*:*:*:*:*:*:*

OR cpe:/a:saltstack:salt:2016.11.5:*:*:*:*:*:*:*

OR cpe:/a:saltstack:salt:2016.11.10:*:*:*:*:*:*:*

OR cpe:/a:saltstack:salt:2017.7.8:*:*:*:*:*:*:*

OR cpe:/a:saltstack:salt:2018.3.5:*:*:*:*:*:*:*

OR cpe:/a:saltstack:salt:2019.2.5:*:*:*:*:*:*:*

OR cpe:/a:saltstack:salt:2019.2.8:*:*:*:*:*:*:*

OR cpe:/a:saltstack:salt:3000.6:*:*:*:*:*:*:*

OR cpe:/a:saltstack:salt:3001.4:*:*:*:*:*:*:*

OR cpe:/a:saltstack:salt:3002.2:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:8092	P	salt-transactional-update-3005.1-150500.2.13 on GA media (Moderate)	2023-06-20
oval:org.opensuse.security:def:8017	P	graphviz-perl-2.48.0-150400.1.8 on GA media (Moderate)	2023-06-20
oval:org.opensuse.security:def:7668	P	libsndfile-devel-1.0.28-150000.5.17.1 on GA media (Moderate)	2023-06-12
oval:org.opensuse.security:def:7784	P	python3-salt-3005.1-150500.2.13 on GA media (Moderate)	2023-06-12
oval:org.opensuse.security:def:622	P	Security update for bind (Important) (in QA)	2022-09-23
oval:org.opensuse.security:def:93157	P	(Important)	2022-07-14
oval:org.opensuse.security:def:93310	P	(Important)	2022-07-06
oval:org.opensuse.security:def:3181	P	libgssglue1-0.4-3.76 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3567	P	libXtst6-1.2.2-7.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3522	P	hardlink-1.0-6.38 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3537	P	kdump-0.8.16-9.2 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:94811	P	python3-salt-3004-150400.6.16 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:95152	P	salt-api-3004-150400.6.16 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:94679	P	libosinfo-1.7.1-150400.8.6 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:95167	P	salt-transactional-update-3004-150400.6.16 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:291	P	python3-salt-3002.2-6.1 on GA media (Moderate)	2022-06-13
oval:org.opensuse.security:def:99202	P	(Important)	2022-01-25
oval:org.opensuse.security:def:113236	P	python3-salt-3002.2-6.1 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:1220	P	Security update for the Linux Kernel (Important)	2021-10-12
oval:org.opensuse.security:def:106653	P	python3-salt-3002.2-6.1 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:2283	P	salt-api-3002.2-6.1 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:101392	P	python3-pywbem-0.11.0-2.21 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:63372	P	salt-api-3002.2-6.1 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:101398	P	salt-api-3002.2-6.1 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:62309	P	python3-salt-3002.2-6.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:101067	P	python3-salt-3002.2-6.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:72050	P	python3-salt-3002.2-6.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:99397	P	(Important)	2021-07-20
oval:org.opensuse.security:def:9453	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:95987	P	Security update for py26-compat-salt (Critical)	2021-02-26
oval:org.opensuse.security:def:92646	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:109326	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:69986	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:97242	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:10397	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:8706	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:20612	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:92057	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:118417	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:111237	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:69106	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:42867	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:9647	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:96098	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:92845	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:109454	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:70347	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:97243	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:99596	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:8896	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:21013	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:92252	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:118550	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:69593	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:42882	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:102660	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:9846	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:99007	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:93004	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:38434	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:70537	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:97244	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:64656	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:73778	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:99795	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:9091	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:95947	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:92447	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:108058	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:69787	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:49083	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:102788	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:10207	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:38449	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:91692	P	Security update for py26-compat-salt (Critical)	2021-02-26
oval:org.opensuse.security:def:117572	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:68757	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:76537	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:100107	P	Security update for salt (Critical)	2021-02-26

BACK